Security.php 46 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253125412551256125712581259126012611262126312641265126612671268126912701271127212731274127512761277127812791280128112821283128412851286128712881289129012911292129312941295129612971298129913001301130213031304130513061307130813091310131113121313131413151316131713181319132013211322132313241325132613271328132913301331133213331334133513361337133813391340134113421343134413451346134713481349135013511352135313541355135613571358135913601361136213631364136513661367136813691370137113721373137413751376137713781379138013811382
  1. <?php
  2. /**
  3. * This file has the very important job of ensuring forum security.
  4. * This task includes banning and permissions, namely.
  5. *
  6. * Simple Machines Forum (SMF)
  7. *
  8. * @package SMF
  9. * @author Simple Machines http://www.simplemachines.org
  10. * @copyright 2013 Simple Machines and individual contributors
  11. * @license http://www.simplemachines.org/about/smf/license.php BSD
  12. *
  13. * @version 2.1 Alpha 1
  14. */
  15. if (!defined('SMF'))
  16. die('No direct access...');
  17. /**
  18. * Check if the user is who he/she says he is
  19. * Makes sure the user is who they claim to be by requiring a password to be typed in every hour.
  20. * Is turned on and off by the securityDisable setting.
  21. * Uses the adminLogin() function of Subs-Auth.php if they need to login, which saves all request (post and get) data.
  22. *
  23. * @param string $type = admin
  24. */
  25. function validateSession($type = 'admin')
  26. {
  27. global $modSettings, $sourcedir, $user_info, $sc, $user_settings;
  28. // We don't care if the option is off, because Guests should NEVER get past here.
  29. is_not_guest();
  30. // Validate what type of session check this is.
  31. $types = array();
  32. call_integration_hook('integrate_validateSession', array(&$types));
  33. $type = in_array($type, $types) || $type == 'moderate' ? $type : 'admin';
  34. // If we're using XML give an additional ten minutes grace as an admin can't log on in XML mode.
  35. $refreshTime = isset($_GET['xml']) ? 4200 : 3600;
  36. // Is the security option off?
  37. if (!empty($modSettings['securityDisable' . ($type != 'admin' ? '_' . $type : '')]))
  38. return;
  39. // Or are they already logged in?, Moderator or admin sesssion is need for this area
  40. if ((!empty($_SESSION[$type . '_time']) && $_SESSION[$type . '_time'] + $refreshTime >= time()) || (!empty($_SESSION['admin_time']) && $_SESSION['admin_time'] + $refreshTime >= time()))
  41. return;
  42. require_once($sourcedir . '/Subs-Auth.php');
  43. // Hashed password, ahoy!
  44. if (isset($_POST[$type . '_hash_pass']) && strlen($_POST[$type . '_hash_pass']) == 40)
  45. {
  46. checkSession();
  47. $good_password = in_array(true, call_integration_hook('integrate_verify_password', array($user_info['username'], $_POST[$type . '_hash_pass'], true)), true);
  48. if ($good_password || $_POST[$type . '_hash_pass'] == sha1($user_info['passwd'] . $sc))
  49. {
  50. $_SESSION[$type . '_time'] = time();
  51. unset($_SESSION['request_referer']);
  52. return;
  53. }
  54. }
  55. // Posting the password... check it.
  56. if (isset($_POST[$type. '_pass']))
  57. {
  58. checkSession();
  59. $good_password = in_array(true, call_integration_hook('integrate_verify_password', array($user_info['username'], $_POST[$type . '_pass'], false)), true);
  60. // Password correct?
  61. if ($good_password || sha1(strtolower($user_info['username']) . $_POST[$type . '_pass']) == $user_info['passwd'])
  62. {
  63. $_SESSION[$type . '_time'] = time();
  64. unset($_SESSION['request_referer']);
  65. return;
  66. }
  67. }
  68. // OpenID?
  69. if (!empty($user_settings['openid_uri']))
  70. {
  71. require_once($sourcedir . '/Subs-OpenID.php');
  72. smf_openID_revalidate();
  73. $_SESSION[$type . '_time'] = time();
  74. unset($_SESSION['request_referer']);
  75. return;
  76. }
  77. // Better be sure to remember the real referer
  78. if (empty($_SESSION['request_referer']))
  79. $_SESSION['request_referer'] = isset($_SERVER['HTTP_REFERER']) ? @parse_url($_SERVER['HTTP_REFERER']) : array();
  80. elseif (empty($_POST))
  81. unset($_SESSION['request_referer']);
  82. // Need to type in a password for that, man.
  83. if (!isset($_GET['xml']))
  84. adminLogin($type);
  85. else
  86. return 'session_verify_fail';
  87. }
  88. /**
  89. * Require a user who is logged in. (not a guest.)
  90. * Checks if the user is currently a guest, and if so asks them to login with a message telling them why.
  91. * Message is what to tell them when asking them to login.
  92. *
  93. * @param string $message = ''
  94. */
  95. function is_not_guest($message = '')
  96. {
  97. global $user_info, $txt, $context, $scripturl;
  98. // Luckily, this person isn't a guest.
  99. if (isset($user_info['is_guest']) && !$user_info['is_guest'])
  100. return;
  101. // People always worry when they see people doing things they aren't actually doing...
  102. $_GET['action'] = '';
  103. $_GET['board'] = '';
  104. $_GET['topic'] = '';
  105. writeLog(true);
  106. // Just die.
  107. if (isset($_REQUEST['xml']))
  108. obExit(false);
  109. // Attempt to detect if they came from dlattach.
  110. if (!WIRELESS && SMF != 'SSI' && empty($context['theme_loaded']))
  111. loadTheme();
  112. // Never redirect to an attachment
  113. if (strpos($_SERVER['REQUEST_URL'], 'dlattach') === false)
  114. $_SESSION['login_url'] = $_SERVER['REQUEST_URL'];
  115. // Load the Login template and language file.
  116. loadLanguage('Login');
  117. // Are we in wireless mode?
  118. if (WIRELESS)
  119. {
  120. $context['login_error'] = $message ? $message : $txt['only_members_can_access'];
  121. $context['sub_template'] = WIRELESS_PROTOCOL . '_login';
  122. }
  123. // Apparently we're not in a position to handle this now. Let's go to a safer location for now.
  124. elseif (empty($context['template_layers']))
  125. {
  126. $_SESSION['login_url'] = $scripturl . '?' . $_SERVER['QUERY_STRING'];
  127. redirectexit('action=login');
  128. }
  129. else
  130. {
  131. loadTemplate('Login');
  132. $context['sub_template'] = 'kick_guest';
  133. $context['robot_no_index'] = true;
  134. }
  135. // Use the kick_guest sub template...
  136. $context['kick_message'] = $message;
  137. $context['page_title'] = $txt['login'];
  138. obExit();
  139. // We should never get to this point, but if we did we wouldn't know the user isn't a guest.
  140. trigger_error('Hacking attempt...', E_USER_ERROR);
  141. }
  142. /**
  143. * Do banning related stuff. (ie. disallow access....)
  144. * Checks if the user is banned, and if so dies with an error.
  145. * Caches this information for optimization purposes.
  146. * Forces a recheck if force_check is true.
  147. *
  148. * @param bool $forceCheck = false
  149. */
  150. function is_not_banned($forceCheck = false)
  151. {
  152. global $txt, $modSettings, $context, $user_info;
  153. global $sourcedir, $cookiename, $user_settings, $smcFunc;
  154. // You cannot be banned if you are an admin - doesn't help if you log out.
  155. if ($user_info['is_admin'])
  156. return;
  157. // Only check the ban every so often. (to reduce load.)
  158. if ($forceCheck || !isset($_SESSION['ban']) || empty($modSettings['banLastUpdated']) || ($_SESSION['ban']['last_checked'] < $modSettings['banLastUpdated']) || $_SESSION['ban']['id_member'] != $user_info['id'] || $_SESSION['ban']['ip'] != $user_info['ip'] || $_SESSION['ban']['ip2'] != $user_info['ip2'] || (isset($user_info['email'], $_SESSION['ban']['email']) && $_SESSION['ban']['email'] != $user_info['email']))
  159. {
  160. // Innocent until proven guilty. (but we know you are! :P)
  161. $_SESSION['ban'] = array(
  162. 'last_checked' => time(),
  163. 'id_member' => $user_info['id'],
  164. 'ip' => $user_info['ip'],
  165. 'ip2' => $user_info['ip2'],
  166. 'email' => $user_info['email'],
  167. );
  168. $ban_query = array();
  169. $ban_query_vars = array('current_time' => time());
  170. $flag_is_activated = false;
  171. // Check both IP addresses.
  172. foreach (array('ip', 'ip2') as $ip_number)
  173. {
  174. if ($ip_number == 'ip2' && $user_info['ip2'] == $user_info['ip'])
  175. continue;
  176. $ban_query[] = constructBanQueryIP($user_info[$ip_number]);
  177. // IP was valid, maybe there's also a hostname...
  178. if (empty($modSettings['disableHostnameLookup']) && $user_info[$ip_number] != 'unknown')
  179. {
  180. $hostname = host_from_ip($user_info[$ip_number]);
  181. if (strlen($hostname) > 0)
  182. {
  183. $ban_query[] = '({string:hostname} LIKE bi.hostname)';
  184. $ban_query_vars['hostname'] = $hostname;
  185. }
  186. }
  187. }
  188. // Is their email address banned?
  189. if (strlen($user_info['email']) != 0)
  190. {
  191. $ban_query[] = '({string:email} LIKE bi.email_address)';
  192. $ban_query_vars['email'] = $user_info['email'];
  193. }
  194. // How about this user?
  195. if (!$user_info['is_guest'] && !empty($user_info['id']))
  196. {
  197. $ban_query[] = 'bi.id_member = {int:id_member}';
  198. $ban_query_vars['id_member'] = $user_info['id'];
  199. }
  200. // Check the ban, if there's information.
  201. if (!empty($ban_query))
  202. {
  203. $restrictions = array(
  204. 'cannot_access',
  205. 'cannot_login',
  206. 'cannot_post',
  207. 'cannot_register',
  208. );
  209. $request = $smcFunc['db_query']('', '
  210. SELECT bi.id_ban, bi.email_address, bi.id_member, bg.cannot_access, bg.cannot_register,
  211. bg.cannot_post, bg.cannot_login, bg.reason, IFNULL(bg.expire_time, 0) AS expire_time
  212. FROM {db_prefix}ban_items AS bi
  213. INNER JOIN {db_prefix}ban_groups AS bg ON (bg.id_ban_group = bi.id_ban_group AND (bg.expire_time IS NULL OR bg.expire_time > {int:current_time}))
  214. WHERE
  215. (' . implode(' OR ', $ban_query) . ')',
  216. $ban_query_vars
  217. );
  218. // Store every type of ban that applies to you in your session.
  219. while ($row = $smcFunc['db_fetch_assoc']($request))
  220. {
  221. foreach ($restrictions as $restriction)
  222. if (!empty($row[$restriction]))
  223. {
  224. $_SESSION['ban'][$restriction]['reason'] = $row['reason'];
  225. $_SESSION['ban'][$restriction]['ids'][] = $row['id_ban'];
  226. if (!isset($_SESSION['ban']['expire_time']) || ($_SESSION['ban']['expire_time'] != 0 && ($row['expire_time'] == 0 || $row['expire_time'] > $_SESSION['ban']['expire_time'])))
  227. $_SESSION['ban']['expire_time'] = $row['expire_time'];
  228. if (!$user_info['is_guest'] && $restriction == 'cannot_access' && ($row['id_member'] == $user_info['id'] || $row['email_address'] == $user_info['email']))
  229. $flag_is_activated = true;
  230. }
  231. }
  232. $smcFunc['db_free_result']($request);
  233. }
  234. // Mark the cannot_access and cannot_post bans as being 'hit'.
  235. if (isset($_SESSION['ban']['cannot_access']) || isset($_SESSION['ban']['cannot_post']) || isset($_SESSION['ban']['cannot_login']))
  236. log_ban(array_merge(isset($_SESSION['ban']['cannot_access']) ? $_SESSION['ban']['cannot_access']['ids'] : array(), isset($_SESSION['ban']['cannot_post']) ? $_SESSION['ban']['cannot_post']['ids'] : array(), isset($_SESSION['ban']['cannot_login']) ? $_SESSION['ban']['cannot_login']['ids'] : array()));
  237. // If for whatever reason the is_activated flag seems wrong, do a little work to clear it up.
  238. if ($user_info['id'] && (($user_settings['is_activated'] >= 10 && !$flag_is_activated)
  239. || ($user_settings['is_activated'] < 10 && $flag_is_activated)))
  240. {
  241. require_once($sourcedir . '/ManageBans.php');
  242. updateBanMembers();
  243. }
  244. }
  245. // Hey, I know you! You're ehm...
  246. if (!isset($_SESSION['ban']['cannot_access']) && !empty($_COOKIE[$cookiename . '_']))
  247. {
  248. $bans = explode(',', $_COOKIE[$cookiename . '_']);
  249. foreach ($bans as $key => $value)
  250. $bans[$key] = (int) $value;
  251. $request = $smcFunc['db_query']('', '
  252. SELECT bi.id_ban, bg.reason
  253. FROM {db_prefix}ban_items AS bi
  254. INNER JOIN {db_prefix}ban_groups AS bg ON (bg.id_ban_group = bi.id_ban_group)
  255. WHERE bi.id_ban IN ({array_int:ban_list})
  256. AND (bg.expire_time IS NULL OR bg.expire_time > {int:current_time})
  257. AND bg.cannot_access = {int:cannot_access}
  258. LIMIT ' . count($bans),
  259. array(
  260. 'cannot_access' => 1,
  261. 'ban_list' => $bans,
  262. 'current_time' => time(),
  263. )
  264. );
  265. while ($row = $smcFunc['db_fetch_assoc']($request))
  266. {
  267. $_SESSION['ban']['cannot_access']['ids'][] = $row['id_ban'];
  268. $_SESSION['ban']['cannot_access']['reason'] = $row['reason'];
  269. }
  270. $smcFunc['db_free_result']($request);
  271. // My mistake. Next time better.
  272. if (!isset($_SESSION['ban']['cannot_access']))
  273. {
  274. require_once($sourcedir . '/Subs-Auth.php');
  275. $cookie_url = url_parts(!empty($modSettings['localCookies']), !empty($modSettings['globalCookies']));
  276. smf_setcookie($cookiename . '_', '', time() - 3600, $cookie_url[1], $cookie_url[0], false, false);
  277. }
  278. }
  279. // If you're fully banned, it's end of the story for you.
  280. if (isset($_SESSION['ban']['cannot_access']))
  281. {
  282. // We don't wanna see you!
  283. if (!$user_info['is_guest'])
  284. $smcFunc['db_query']('', '
  285. DELETE FROM {db_prefix}log_online
  286. WHERE id_member = {int:current_member}',
  287. array(
  288. 'current_member' => $user_info['id'],
  289. )
  290. );
  291. // 'Log' the user out. Can't have any funny business... (save the name!)
  292. $old_name = isset($user_info['name']) && $user_info['name'] != '' ? $user_info['name'] : $txt['guest_title'];
  293. $user_info['name'] = '';
  294. $user_info['username'] = '';
  295. $user_info['is_guest'] = true;
  296. $user_info['is_admin'] = false;
  297. $user_info['permissions'] = array();
  298. $user_info['id'] = 0;
  299. $context['user'] = array(
  300. 'id' => 0,
  301. 'username' => '',
  302. 'name' => $txt['guest_title'],
  303. 'is_guest' => true,
  304. 'is_logged' => false,
  305. 'is_admin' => false,
  306. 'is_mod' => false,
  307. 'can_mod' => false,
  308. 'language' => $user_info['language'],
  309. );
  310. // A goodbye present.
  311. require_once($sourcedir . '/Subs-Auth.php');
  312. $cookie_url = url_parts(!empty($modSettings['localCookies']), !empty($modSettings['globalCookies']));
  313. smf_setcookie($cookiename . '_', implode(',', $_SESSION['ban']['cannot_access']['ids']), time() + 3153600, $cookie_url[1], $cookie_url[0], false, false);
  314. // Don't scare anyone, now.
  315. $_GET['action'] = '';
  316. $_GET['board'] = '';
  317. $_GET['topic'] = '';
  318. writeLog(true);
  319. // You banned, sucka!
  320. fatal_error(sprintf($txt['your_ban'], $old_name) . (empty($_SESSION['ban']['cannot_access']['reason']) ? '' : '<br />' . $_SESSION['ban']['cannot_access']['reason']) . '<br />' . (!empty($_SESSION['ban']['expire_time']) ? sprintf($txt['your_ban_expires'], timeformat($_SESSION['ban']['expire_time'], false)) : $txt['your_ban_expires_never']), 'user');
  321. // If we get here, something's gone wrong.... but let's try anyway.
  322. trigger_error('Hacking attempt...', E_USER_ERROR);
  323. }
  324. // You're not allowed to log in but yet you are. Let's fix that.
  325. elseif (isset($_SESSION['ban']['cannot_login']) && !$user_info['is_guest'])
  326. {
  327. // We don't wanna see you!
  328. $smcFunc['db_query']('', '
  329. DELETE FROM {db_prefix}log_online
  330. WHERE id_member = {int:current_member}',
  331. array(
  332. 'current_member' => $user_info['id'],
  333. )
  334. );
  335. // 'Log' the user out. Can't have any funny business... (save the name!)
  336. $old_name = isset($user_info['name']) && $user_info['name'] != '' ? $user_info['name'] : $txt['guest_title'];
  337. $user_info['name'] = '';
  338. $user_info['username'] = '';
  339. $user_info['is_guest'] = true;
  340. $user_info['is_admin'] = false;
  341. $user_info['permissions'] = array();
  342. $user_info['id'] = 0;
  343. $context['user'] = array(
  344. 'id' => 0,
  345. 'username' => '',
  346. 'name' => $txt['guest_title'],
  347. 'is_guest' => true,
  348. 'is_logged' => false,
  349. 'is_admin' => false,
  350. 'is_mod' => false,
  351. 'can_mod' => false,
  352. 'language' => $user_info['language'],
  353. );
  354. // SMF's Wipe 'n Clean(r) erases all traces.
  355. $_GET['action'] = '';
  356. $_GET['board'] = '';
  357. $_GET['topic'] = '';
  358. writeLog(true);
  359. require_once($sourcedir . '/LogInOut.php');
  360. Logout(true, false);
  361. fatal_error(sprintf($txt['your_ban'], $old_name) . (empty($_SESSION['ban']['cannot_login']['reason']) ? '' : '<br />' . $_SESSION['ban']['cannot_login']['reason']) . '<br />' . (!empty($_SESSION['ban']['expire_time']) ? sprintf($txt['your_ban_expires'], timeformat($_SESSION['ban']['expire_time'], false)) : $txt['your_ban_expires_never']) . '<br />' . $txt['ban_continue_browse'], 'user');
  362. }
  363. // Fix up the banning permissions.
  364. if (isset($user_info['permissions']))
  365. banPermissions();
  366. }
  367. /**
  368. * Fix permissions according to ban status.
  369. * Applies any states of banning by removing permissions the user cannot have.
  370. */
  371. function banPermissions()
  372. {
  373. global $user_info, $sourcedir, $modSettings, $context;
  374. // Somehow they got here, at least take away all permissions...
  375. if (isset($_SESSION['ban']['cannot_access']))
  376. $user_info['permissions'] = array();
  377. // Okay, well, you can watch, but don't touch a thing.
  378. elseif (isset($_SESSION['ban']['cannot_post']) || (!empty($modSettings['warning_mute']) && $modSettings['warning_mute'] <= $user_info['warning']))
  379. {
  380. $denied_permissions = array(
  381. 'pm_send',
  382. 'calendar_post', 'calendar_edit_own', 'calendar_edit_any',
  383. 'poll_post',
  384. 'poll_add_own', 'poll_add_any',
  385. 'poll_edit_own', 'poll_edit_any',
  386. 'poll_lock_own', 'poll_lock_any',
  387. 'poll_remove_own', 'poll_remove_any',
  388. 'manage_attachments', 'manage_smileys', 'manage_boards', 'admin_forum', 'manage_permissions',
  389. 'moderate_forum', 'manage_membergroups', 'manage_bans', 'send_mail', 'edit_news',
  390. 'profile_identity_any', 'profile_extra_any', 'profile_title_any',
  391. 'post_new', 'post_reply_own', 'post_reply_any',
  392. 'delete_own', 'delete_any', 'delete_replies',
  393. 'make_sticky',
  394. 'merge_any', 'split_any',
  395. 'modify_own', 'modify_any', 'modify_replies',
  396. 'move_any',
  397. 'send_topic',
  398. 'lock_own', 'lock_any',
  399. 'remove_own', 'remove_any',
  400. 'post_unapproved_topics', 'post_unapproved_replies_own', 'post_unapproved_replies_any',
  401. );
  402. call_integration_hook('integrate_post_ban_permissions', array(&$denied_permissions));
  403. $user_info['permissions'] = array_diff($user_info['permissions'], $denied_permissions);
  404. }
  405. // Are they absolutely under moderation?
  406. elseif (!empty($modSettings['warning_moderate']) && $modSettings['warning_moderate'] <= $user_info['warning'])
  407. {
  408. // Work out what permissions should change...
  409. $permission_change = array(
  410. 'post_new' => 'post_unapproved_topics',
  411. 'post_reply_own' => 'post_unapproved_replies_own',
  412. 'post_reply_any' => 'post_unapproved_replies_any',
  413. 'post_attachment' => 'post_unapproved_attachments',
  414. );
  415. call_integration_hook('integrate_warn_permissions', array(&$permission_change));
  416. foreach ($permission_change as $old => $new)
  417. {
  418. if (!in_array($old, $user_info['permissions']))
  419. unset($permission_change[$old]);
  420. else
  421. $user_info['permissions'][] = $new;
  422. }
  423. $user_info['permissions'] = array_diff($user_info['permissions'], array_keys($permission_change));
  424. }
  425. // @todo Find a better place to call this? Needs to be after permissions loaded!
  426. // Finally, some bits we cache in the session because it saves queries.
  427. if (isset($_SESSION['mc']) && $_SESSION['mc']['time'] > $modSettings['settings_updated'] && $_SESSION['mc']['id'] == $user_info['id'])
  428. $user_info['mod_cache'] = $_SESSION['mc'];
  429. else
  430. {
  431. require_once($sourcedir . '/Subs-Auth.php');
  432. rebuildModCache();
  433. }
  434. // Now that we have the mod cache taken care of lets setup a cache for the number of mod reports still open
  435. if (isset($_SESSION['rc']) && $_SESSION['rc']['time'] > $modSettings['last_mod_report_action'] && $_SESSION['rc']['id'] == $user_info['id'])
  436. $context['open_mod_reports'] = $_SESSION['rc']['reports'];
  437. elseif ($_SESSION['mc']['bq'] != '0=1')
  438. {
  439. require_once($sourcedir . '/ModerationCenter.php');
  440. recountOpenReports();
  441. }
  442. else
  443. $context['open_mod_reports'] = 0;
  444. }
  445. /**
  446. * Log a ban in the database.
  447. * Log the current user in the ban logs.
  448. * Increment the hit counters for the specified ban ID's (if any.)
  449. *
  450. * @param array $ban_ids = array()
  451. * @param string $email = null
  452. */
  453. function log_ban($ban_ids = array(), $email = null)
  454. {
  455. global $user_info, $smcFunc;
  456. // Don't log web accelerators, it's very confusing...
  457. if (isset($_SERVER['HTTP_X_MOZ']) && $_SERVER['HTTP_X_MOZ'] == 'prefetch')
  458. return;
  459. $smcFunc['db_insert']('',
  460. '{db_prefix}log_banned',
  461. array('id_member' => 'int', 'ip' => 'string-16', 'email' => 'string', 'log_time' => 'int'),
  462. array($user_info['id'], $user_info['ip'], ($email === null ? ($user_info['is_guest'] ? '' : $user_info['email']) : $email), time()),
  463. array('id_ban_log')
  464. );
  465. // One extra point for these bans.
  466. if (!empty($ban_ids))
  467. $smcFunc['db_query']('', '
  468. UPDATE {db_prefix}ban_items
  469. SET hits = hits + 1
  470. WHERE id_ban IN ({array_int:ban_ids})',
  471. array(
  472. 'ban_ids' => $ban_ids,
  473. )
  474. );
  475. }
  476. /**
  477. * Checks if a given email address might be banned.
  478. * Check if a given email is banned.
  479. * Performs an immediate ban if the turns turns out positive.
  480. *
  481. * @param string $email
  482. * @param string $restriction
  483. * @param string $error
  484. */
  485. function isBannedEmail($email, $restriction, $error)
  486. {
  487. global $txt, $smcFunc;
  488. // Can't ban an empty email
  489. if (empty($email) || trim($email) == '')
  490. return;
  491. // Let's start with the bans based on your IP/hostname/memberID...
  492. $ban_ids = isset($_SESSION['ban'][$restriction]) ? $_SESSION['ban'][$restriction]['ids'] : array();
  493. $ban_reason = isset($_SESSION['ban'][$restriction]) ? $_SESSION['ban'][$restriction]['reason'] : '';
  494. // ...and add to that the email address you're trying to register.
  495. $request = $smcFunc['db_query']('', '
  496. SELECT bi.id_ban, bg.' . $restriction . ', bg.cannot_access, bg.reason
  497. FROM {db_prefix}ban_items AS bi
  498. INNER JOIN {db_prefix}ban_groups AS bg ON (bg.id_ban_group = bi.id_ban_group)
  499. WHERE {string:email} LIKE bi.email_address
  500. AND (bg.' . $restriction . ' = {int:cannot_access} OR bg.cannot_access = {int:cannot_access})
  501. AND (bg.expire_time IS NULL OR bg.expire_time >= {int:now})',
  502. array(
  503. 'email' => $email,
  504. 'cannot_access' => 1,
  505. 'now' => time(),
  506. )
  507. );
  508. while ($row = $smcFunc['db_fetch_assoc']($request))
  509. {
  510. if (!empty($row['cannot_access']))
  511. {
  512. $_SESSION['ban']['cannot_access']['ids'][] = $row['id_ban'];
  513. $_SESSION['ban']['cannot_access']['reason'] = $row['reason'];
  514. }
  515. if (!empty($row[$restriction]))
  516. {
  517. $ban_ids[] = $row['id_ban'];
  518. $ban_reason = $row['reason'];
  519. }
  520. }
  521. $smcFunc['db_free_result']($request);
  522. // You're in biiig trouble. Banned for the rest of this session!
  523. if (isset($_SESSION['ban']['cannot_access']))
  524. {
  525. log_ban($_SESSION['ban']['cannot_access']['ids']);
  526. $_SESSION['ban']['last_checked'] = time();
  527. fatal_error(sprintf($txt['your_ban'], $txt['guest_title']) . $_SESSION['ban']['cannot_access']['reason'], false);
  528. }
  529. if (!empty($ban_ids))
  530. {
  531. // Log this ban for future reference.
  532. log_ban($ban_ids, $email);
  533. fatal_error($error . $ban_reason, false);
  534. }
  535. }
  536. /**
  537. * Make sure the user's correct session was passed, and they came from here.
  538. * Checks the current session, verifying that the person is who he or she should be.
  539. * Also checks the referrer to make sure they didn't get sent here.
  540. * Depends on the disableCheckUA setting, which is usually missing.
  541. * Will check GET, POST, or REQUEST depending on the passed type.
  542. * Also optionally checks the referring action if passed. (note that the referring action must be by GET.)
  543. *
  544. * @param string $type = 'post' (post, get, request)
  545. * @param string $from_action = ''
  546. * @param bool $is_fatal = true
  547. * @return string the error message if is_fatal is false.
  548. */
  549. function checkSession($type = 'post', $from_action = '', $is_fatal = true)
  550. {
  551. global $sc, $modSettings, $boardurl;
  552. // Is it in as $_POST['sc']?
  553. if ($type == 'post')
  554. {
  555. $check = isset($_POST[$_SESSION['session_var']]) ? $_POST[$_SESSION['session_var']] : (empty($modSettings['strictSessionCheck']) && isset($_POST['sc']) ? $_POST['sc'] : null);
  556. if ($check !== $sc)
  557. $error = 'session_timeout';
  558. }
  559. // How about $_GET['sesc']?
  560. elseif ($type == 'get')
  561. {
  562. $check = isset($_GET[$_SESSION['session_var']]) ? $_GET[$_SESSION['session_var']] : (empty($modSettings['strictSessionCheck']) && isset($_GET['sesc']) ? $_GET['sesc'] : null);
  563. if ($check !== $sc)
  564. $error = 'session_verify_fail';
  565. }
  566. // Or can it be in either?
  567. elseif ($type == 'request')
  568. {
  569. $check = isset($_GET[$_SESSION['session_var']]) ? $_GET[$_SESSION['session_var']] : (empty($modSettings['strictSessionCheck']) && isset($_GET['sesc']) ? $_GET['sesc'] : (isset($_POST[$_SESSION['session_var']]) ? $_POST[$_SESSION['session_var']] : (empty($modSettings['strictSessionCheck']) && isset($_POST['sc']) ? $_POST['sc'] : null)));
  570. if ($check !== $sc)
  571. $error = 'session_verify_fail';
  572. }
  573. // Verify that they aren't changing user agents on us - that could be bad.
  574. if ((!isset($_SESSION['USER_AGENT']) || $_SESSION['USER_AGENT'] != $_SERVER['HTTP_USER_AGENT']) && empty($modSettings['disableCheckUA']))
  575. $error = 'session_verify_fail';
  576. // Make sure a page with session check requirement is not being prefetched.
  577. if (isset($_SERVER['HTTP_X_MOZ']) && $_SERVER['HTTP_X_MOZ'] == 'prefetch')
  578. {
  579. ob_end_clean();
  580. header('HTTP/1.1 403 Forbidden');
  581. die;
  582. }
  583. // Check the referring site - it should be the same server at least!
  584. if (isset($_SESSION['request_referer']))
  585. $referrer = $_SESSION['request_referer'];
  586. else
  587. $referrer = isset($_SERVER['HTTP_REFERER']) ? @parse_url($_SERVER['HTTP_REFERER']) : array();
  588. if (!empty($referrer['host']))
  589. {
  590. if (strpos($_SERVER['HTTP_HOST'], ':') !== false)
  591. $real_host = substr($_SERVER['HTTP_HOST'], 0, strpos($_SERVER['HTTP_HOST'], ':'));
  592. else
  593. $real_host = $_SERVER['HTTP_HOST'];
  594. $parsed_url = parse_url($boardurl);
  595. // Are global cookies on? If so, let's check them ;).
  596. if (!empty($modSettings['globalCookies']))
  597. {
  598. if (preg_match('~(?:[^\.]+\.)?([^\.]{3,}\..+)\z~i', $parsed_url['host'], $parts) == 1)
  599. $parsed_url['host'] = $parts[1];
  600. if (preg_match('~(?:[^\.]+\.)?([^\.]{3,}\..+)\z~i', $referrer['host'], $parts) == 1)
  601. $referrer['host'] = $parts[1];
  602. if (preg_match('~(?:[^\.]+\.)?([^\.]{3,}\..+)\z~i', $real_host, $parts) == 1)
  603. $real_host = $parts[1];
  604. }
  605. // Okay: referrer must either match parsed_url or real_host.
  606. if (isset($parsed_url['host']) && strtolower($referrer['host']) != strtolower($parsed_url['host']) && strtolower($referrer['host']) != strtolower($real_host))
  607. {
  608. $error = 'verify_url_fail';
  609. $log_error = true;
  610. }
  611. }
  612. // Well, first of all, if a from_action is specified you'd better have an old_url.
  613. if (!empty($from_action) && (!isset($_SESSION['old_url']) || preg_match('~[?;&]action=' . $from_action . '([;&]|$)~', $_SESSION['old_url']) == 0))
  614. {
  615. $error = 'verify_url_fail';
  616. $log_error = true;
  617. }
  618. if (strtolower($_SERVER['HTTP_USER_AGENT']) == 'hacker')
  619. fatal_error('Sound the alarm! It\'s a hacker! Close the castle gates!!', false);
  620. // Everything is ok, return an empty string.
  621. if (!isset($error))
  622. return '';
  623. // A session error occurred, show the error.
  624. elseif ($is_fatal)
  625. {
  626. if (isset($_GET['xml']))
  627. {
  628. ob_end_clean();
  629. header('HTTP/1.1 403 Forbidden - Session timeout');
  630. die;
  631. }
  632. else
  633. fatal_lang_error($error, isset($log_error) ? 'user' : false);
  634. }
  635. // A session error occurred, return the error to the calling function.
  636. else
  637. return $error;
  638. // We really should never fall through here, for very important reasons. Let's make sure.
  639. trigger_error('Hacking attempt...', E_USER_ERROR);
  640. }
  641. /**
  642. * Check if a specific confirm parameter was given.
  643. *
  644. * @param string $action
  645. */
  646. function checkConfirm($action)
  647. {
  648. global $modSettings;
  649. if (isset($_GET['confirm']) && isset($_SESSION['confirm_' . $action]) && md5($_GET['confirm'] . $_SERVER['HTTP_USER_AGENT']) == $_SESSION['confirm_' . $action])
  650. return true;
  651. else
  652. {
  653. $token = md5(mt_rand() . session_id() . (string) microtime() . $modSettings['rand_seed']);
  654. $_SESSION['confirm_' . $action] = md5($token . $_SERVER['HTTP_USER_AGENT']);
  655. return $token;
  656. }
  657. }
  658. /**
  659. * Lets give you a token of our appreciation.
  660. *
  661. * @param string $action
  662. * @param string $type = 'post'
  663. * @return array
  664. */
  665. function createToken($action, $type = 'post')
  666. {
  667. global $modSettings, $context;
  668. $token = md5(mt_rand() . session_id() . (string) microtime() . $modSettings['rand_seed'] . $type);
  669. $token_var = substr(preg_replace('~^\d+~', '', md5(mt_rand() . (string) microtime() . mt_rand())), 0, rand(7, 12));
  670. $_SESSION['token'][$type . '-' . $action] = array($token_var, md5($token . $_SERVER['HTTP_USER_AGENT']), time(), $token);
  671. $context[$action . '_token'] = $token;
  672. $context[$action . '_token_var'] = $token_var;
  673. return array($action . '_token_var' => $token_var, $action . '_token' => $token);
  674. }
  675. /**
  676. * Only patrons with valid tokens can ride this ride.
  677. *
  678. * @param string $action
  679. * @param string $type = 'post' (get, request, or post)
  680. * @param bool $reset = true
  681. * @return boolean
  682. */
  683. function validateToken($action, $type = 'post', $reset = true)
  684. {
  685. global $modSettings, $db_show_debug;
  686. // Sorry, but token are not the best while debugging
  687. // @todo: remove before commit...
  688. if (!empty($db_show_debug))
  689. return true;
  690. $type = $type == 'get' || $type == 'request' ? $type : 'post';
  691. // Logins are special: the token is used to has the password with javascript before POST it
  692. if ($action == 'login')
  693. {
  694. if (isset($_SESSION['token'][$type . '-' . $action]))
  695. {
  696. $return = $_SESSION['token'][$type . '-' . $action][3];
  697. unset($_SESSION['token'][$type . '-' . $action]);
  698. return $return;
  699. }
  700. else
  701. return '';
  702. }
  703. // This nasty piece of code validates a token.
  704. /*
  705. 1. The token exists in session.
  706. 2. The {$type} variable should exist.
  707. 3. We concat the variable we received with the user agent
  708. 4. Match that result against what is in the session.
  709. 5. If it matchs, success, otherwise we fallout.
  710. */
  711. if (isset($_SESSION['token'][$type . '-' . $action], $GLOBALS['_' . strtoupper($type)][$_SESSION['token'][$type . '-' . $action][0]]) && md5($GLOBALS['_' . strtoupper($type)][$_SESSION['token'][$type . '-' . $action][0]] . $_SERVER['HTTP_USER_AGENT']) == $_SESSION['token'][$type . '-' . $action][1])
  712. {
  713. // Invalidate this token now.
  714. unset($_SESSION['token'][$type . '-' . $action]);
  715. return true;
  716. }
  717. // Patrons with invalid tokens get the boot.
  718. if ($reset)
  719. {
  720. // Might as well do some cleanup on this.
  721. cleanTokens();
  722. // I'm back baby.
  723. createToken($action, $type);
  724. fatal_lang_error('token_verify_fail', false);
  725. }
  726. // Remove this token as its useless
  727. else
  728. unset($_SESSION['token'][$type . '-' . $action]);
  729. // Randomly check if we should remove some older tokens.
  730. if (mt_rand(0, 138) == 23)
  731. cleanTokens();
  732. return false;
  733. }
  734. /**
  735. * Removes old unused tokens from session
  736. * defaults to 3 hours before a token is considered expired
  737. * if $complete = true will remove all tokens
  738. *
  739. * @param bool $complete = false
  740. */
  741. function cleanTokens($complete = false)
  742. {
  743. // We appreciate cleaning up after yourselves.
  744. if (!isset($_SESSION['token']))
  745. return;
  746. // Clean up tokens, trying to give enough time still.
  747. foreach ($_SESSION['token'] as $key => $data)
  748. if ($data[2] + 10800 < time() || $complete)
  749. unset($_SESSION['token'][$key]);
  750. }
  751. /**
  752. * Check whether a form has been submitted twice.
  753. * Registers a sequence number for a form.
  754. * Checks whether a submitted sequence number is registered in the current session.
  755. * Depending on the value of is_fatal shows an error or returns true or false.
  756. * Frees a sequence number from the stack after it's been checked.
  757. * Frees a sequence number without checking if action == 'free'.
  758. *
  759. * @param string $action
  760. * @param bool $is_fatal = true
  761. * @return boolean
  762. */
  763. function checkSubmitOnce($action, $is_fatal = true)
  764. {
  765. global $context;
  766. if (!isset($_SESSION['forms']))
  767. $_SESSION['forms'] = array();
  768. // Register a form number and store it in the session stack. (use this on the page that has the form.)
  769. if ($action == 'register')
  770. {
  771. $context['form_sequence_number'] = 0;
  772. while (empty($context['form_sequence_number']) || in_array($context['form_sequence_number'], $_SESSION['forms']))
  773. $context['form_sequence_number'] = mt_rand(1, 16000000);
  774. }
  775. // Check whether the submitted number can be found in the session.
  776. elseif ($action == 'check')
  777. {
  778. if (!isset($_REQUEST['seqnum']))
  779. return true;
  780. elseif (!in_array($_REQUEST['seqnum'], $_SESSION['forms']))
  781. {
  782. $_SESSION['forms'][] = (int) $_REQUEST['seqnum'];
  783. return true;
  784. }
  785. elseif ($is_fatal)
  786. fatal_lang_error('error_form_already_submitted', false);
  787. else
  788. return false;
  789. }
  790. // Don't check, just free the stack number.
  791. elseif ($action == 'free' && isset($_REQUEST['seqnum']) && in_array($_REQUEST['seqnum'], $_SESSION['forms']))
  792. $_SESSION['forms'] = array_diff($_SESSION['forms'], array($_REQUEST['seqnum']));
  793. elseif ($action != 'free')
  794. trigger_error('checkSubmitOnce(): Invalid action \'' . $action . '\'', E_USER_WARNING);
  795. }
  796. /**
  797. * Check the user's permissions.
  798. * checks whether the user is allowed to do permission. (ie. post_new.)
  799. * If boards is specified, checks those boards instead of the current one.
  800. * Always returns true if the user is an administrator.
  801. *
  802. * @param string $permission
  803. * @param array $boards = null
  804. * @return boolean if the user can do the permission
  805. */
  806. function allowedTo($permission, $boards = null)
  807. {
  808. global $user_info, $modSettings, $smcFunc;
  809. // You're always allowed to do nothing. (unless you're a working man, MR. LAZY :P!)
  810. if (empty($permission))
  811. return true;
  812. // You're never allowed to do something if your data hasn't been loaded yet!
  813. if (empty($user_info))
  814. return false;
  815. // Administrators are supermen :P.
  816. if ($user_info['is_admin'])
  817. return true;
  818. // Are we checking the _current_ board, or some other boards?
  819. if ($boards === null)
  820. {
  821. // Check if they can do it.
  822. if (!is_array($permission) && in_array($permission, $user_info['permissions']))
  823. return true;
  824. // Search for any of a list of permissions.
  825. elseif (is_array($permission) && count(array_intersect($permission, $user_info['permissions'])) != 0)
  826. return true;
  827. // You aren't allowed, by default.
  828. else
  829. return false;
  830. }
  831. elseif (!is_array($boards))
  832. $boards = array($boards);
  833. $request = $smcFunc['db_query']('', '
  834. SELECT MIN(bp.add_deny) AS add_deny
  835. FROM {db_prefix}boards AS b
  836. INNER JOIN {db_prefix}board_permissions AS bp ON (bp.id_profile = b.id_profile)
  837. LEFT JOIN {db_prefix}moderators AS mods ON (mods.id_board = b.id_board AND mods.id_member = {int:current_member})
  838. LEFT JOIN {db_prefix}moderator_groups AS modgs ON (modgs.id_board = b.id_board AND b.id_group IN ({array_int:group_list})
  839. WHERE b.id_board IN ({array_int:board_list})
  840. AND bp.id_group IN ({array_int:group_list}, {int:moderator_group})
  841. AND bp.permission {raw:permission_list}
  842. AND (mods.id_member IS NOT NULL OR modgs.id_group IS NOT NULL OR bp.id_group != {int:moderator_group})
  843. GROUP BY b.id_board',
  844. array(
  845. 'current_member' => $user_info['id'],
  846. 'board_list' => $boards,
  847. 'group_list' => $user_info['groups'],
  848. 'moderator_group' => 3,
  849. 'permission_list' => (is_array($permission) ? 'IN (\'' . implode('\', \'', $permission) . '\')' : ' = \'' . $permission . '\''),
  850. )
  851. );
  852. // Make sure they can do it on all of the boards.
  853. if ($smcFunc['db_num_rows']($request) != count($boards))
  854. return false;
  855. $result = true;
  856. while ($row = $smcFunc['db_fetch_assoc']($request))
  857. $result &= !empty($row['add_deny']);
  858. $smcFunc['db_free_result']($request);
  859. // If the query returned 1, they can do it... otherwise, they can't.
  860. return $result;
  861. }
  862. /**
  863. * Fatal error if they cannot.
  864. * Uses allowedTo() to check if the user is allowed to do permission.
  865. * Checks the passed boards or current board for the permission.
  866. * If they are not, it loads the Errors language file and shows an error using $txt['cannot_' . $permission].
  867. * If they are a guest and cannot do it, this calls is_not_guest().
  868. *
  869. * @param string $permission
  870. * @param array $boards = null
  871. */
  872. function isAllowedTo($permission, $boards = null)
  873. {
  874. global $user_info, $txt;
  875. static $heavy_permissions = array(
  876. 'admin_forum',
  877. 'manage_attachments',
  878. 'manage_smileys',
  879. 'manage_boards',
  880. 'edit_news',
  881. 'moderate_forum',
  882. 'manage_bans',
  883. 'manage_membergroups',
  884. 'manage_permissions',
  885. );
  886. // Make it an array, even if a string was passed.
  887. $permission = is_array($permission) ? $permission : array($permission);
  888. // Check the permission and return an error...
  889. if (!allowedTo($permission, $boards))
  890. {
  891. // Pick the last array entry as the permission shown as the error.
  892. $error_permission = array_shift($permission);
  893. // If they are a guest, show a login. (because the error might be gone if they do!)
  894. if ($user_info['is_guest'])
  895. {
  896. loadLanguage('Errors');
  897. is_not_guest($txt['cannot_' . $error_permission]);
  898. }
  899. // Clear the action because they aren't really doing that!
  900. $_GET['action'] = '';
  901. $_GET['board'] = '';
  902. $_GET['topic'] = '';
  903. writeLog(true);
  904. fatal_lang_error('cannot_' . $error_permission, false);
  905. // Getting this far is a really big problem, but let's try our best to prevent any cases...
  906. trigger_error('Hacking attempt...', E_USER_ERROR);
  907. }
  908. // If you're doing something on behalf of some "heavy" permissions, validate your session.
  909. // (take out the heavy permissions, and if you can't do anything but those, you need a validated session.)
  910. if (!allowedTo(array_diff($permission, $heavy_permissions), $boards))
  911. validateSession();
  912. }
  913. /**
  914. * Return the boards a user has a certain (board) permission on. (array(0) if all.)
  915. * - returns a list of boards on which the user is allowed to do the specified permission.
  916. * - returns an array with only a 0 in it if the user has permission to do this on every board.
  917. * - returns an empty array if he or she cannot do this on any board.
  918. * If check_access is true will also make sure the group has proper access to that board.
  919. *
  920. * @param array $permissions
  921. * @param bool $check_access = true
  922. * @param bool $simple = true
  923. */
  924. function boardsAllowedTo($permissions, $check_access = true, $simple = true)
  925. {
  926. global $user_info, $modSettings, $smcFunc;
  927. // Arrays are nice, most of the time.
  928. if (!is_array($permissions))
  929. $permissions = array($permissions);
  930. /*
  931. * Set $simple to true to use this function as it were in SMF 2.0.x.
  932. * Otherwise, the resultant array becomes split into the multiple
  933. * permissions that were passed. Other than that, it's just the normal
  934. * state of play that you're used to.
  935. */
  936. // Administrators are all powerful, sorry.
  937. if ($user_info['is_admin'])
  938. {
  939. if ($simple)
  940. return array(0);
  941. else
  942. {
  943. $boards = array();
  944. foreach ($permissions as $permission)
  945. $boards[$permission] = array(0);
  946. return $boards;
  947. }
  948. }
  949. // All groups the user is in except 'moderator'.
  950. $groups = array_diff($user_info['groups'], array(3));
  951. $request = $smcFunc['db_query']('', '
  952. SELECT b.id_board, bp.add_deny' . ($simple ? '' : ', bp.permission') . '
  953. FROM {db_prefix}board_permissions AS bp
  954. INNER JOIN {db_prefix}boards AS b ON (b.id_profile = bp.id_profile)
  955. LEFT JOIN {db_prefix}moderators AS mods ON (mods.id_board = b.id_board AND mods.id_member = {int:current_member})
  956. LEFT JOIN {db_prefix}moderator_groups AS modgs ON (modgs.id_board = b.id_board AND modgs.id_group IN ({array_int:group_list}))
  957. WHERE bp.id_group IN ({array_int:group_list}, {int:moderator_group})
  958. AND bp.permission IN ({array_string:permissions})
  959. AND (mods.id_member IS NOT NULL OR modgs.id_group IS NOT NULL OR bp.id_group != {int:moderator_group})' .
  960. ($check_access ? ' AND {query_see_board}' : ''),
  961. array(
  962. 'current_member' => $user_info['id'],
  963. 'group_list' => $groups,
  964. 'moderator_group' => 3,
  965. 'permissions' => $permissions,
  966. )
  967. );
  968. $boards = array();
  969. $deny_boards = array();
  970. while ($row = $smcFunc['db_fetch_assoc']($request))
  971. {
  972. if ($simple)
  973. {
  974. if (empty($row['add_deny']))
  975. $deny_boards[] = $row['id_board'];
  976. else
  977. $boards[] = $row['id_board'];
  978. }
  979. else
  980. {
  981. if (empty($row['add_deny']))
  982. $deny_boards[$row['permission']][] = $row['id_board'];
  983. else
  984. $boards[$row['permission']][] = $row['id_board'];
  985. }
  986. }
  987. $smcFunc['db_free_result']($request);
  988. if ($simple)
  989. $boards = array_unique(array_values(array_diff($boards, $deny_boards)));
  990. else
  991. {
  992. foreach ($permissions as $permission)
  993. {
  994. // never had it to start with
  995. if (empty($boards[$permission]))
  996. $boards[$permission] = array();
  997. else
  998. {
  999. // Or it may have been removed
  1000. $deny_boards[$permission] = isset($deny_boards[$permission]) ? $deny_boards[$permission] : array();
  1001. $boards[$permission] = array_unique(array_values(array_diff($boards[$permission], $deny_boards[$permission])));
  1002. }
  1003. }
  1004. }
  1005. return $boards;
  1006. }
  1007. /**
  1008. * Returns whether an email address should be shown and how.
  1009. * Possible outcomes are
  1010. * 'yes': show the full email address
  1011. * 'yes_permission_override': show the full email address, either you
  1012. * are a moderator or it's your own email address.
  1013. * 'no_through_forum': don't show the email address, but do allow
  1014. * things to be mailed using the built-in forum mailer.
  1015. * 'no': keep the email address hidden.
  1016. *
  1017. * @param bool $userProfile_hideEmail
  1018. * @param int $userProfile_id
  1019. * @return string (yes, yes_permission_override, no_through_forum, no)
  1020. */
  1021. function showEmailAddress($userProfile_hideEmail, $userProfile_id)
  1022. {
  1023. global $modSettings, $user_info;
  1024. // Should this user's email address be shown?
  1025. // If you're guest and the forum is set to hide email for guests: no.
  1026. // If the user is post-banned: no.
  1027. // If it's your own profile and you've set your address hidden: yes_permission_override.
  1028. // If you're a moderator with sufficient permissions: yes_permission_override.
  1029. // If the user has set their email address to be hidden: no.
  1030. // If the forum is set to show full email addresses: yes.
  1031. // Otherwise: no_through_forum.
  1032. if ((!empty($modSettings['guest_hideContacts']) && $user_info['is_guest']) || isset($_SESSION['ban']['cannot_post']))
  1033. return 'no';
  1034. elseif ((!$user_info['is_guest'] && $user_info['id'] == $userProfile_id && !$userProfile_hideEmail) || allowedTo('moderate_forum'))
  1035. return 'yes_permission_override';
  1036. elseif ($userProfile_hideEmail)
  1037. return 'no';
  1038. elseif (!empty($modSettings['make_email_viewable']) )
  1039. return 'yes';
  1040. else
  1041. return 'no_through_forum';
  1042. }
  1043. /**
  1044. * This function attempts to protect from spammed messages and the like.
  1045. * The time taken depends on error_type - generally uses the modSetting.
  1046. *
  1047. * @param string $error_type used also as a $txt index. (not an actual string.)
  1048. * @return boolean
  1049. */
  1050. function spamProtection($error_type)
  1051. {
  1052. global $modSettings, $txt, $user_info, $smcFunc;
  1053. // Certain types take less/more time.
  1054. $timeOverrides = array(
  1055. 'login' => 2,
  1056. 'register' => 2,
  1057. 'remind' => 30,
  1058. 'sendtopic' => $modSettings['spamWaitTime'] * 4,
  1059. 'sendmail' => $modSettings['spamWaitTime'] * 5,
  1060. 'reporttm' => $modSettings['spamWaitTime'] * 4,
  1061. 'search' => !empty($modSettings['search_floodcontrol_time']) ? $modSettings['search_floodcontrol_time'] : 1,
  1062. );
  1063. call_integration_hook('integrate_spam_protection', array(&$timeOverrides));
  1064. // Moderators are free...
  1065. if (!allowedTo('moderate_board'))
  1066. $timeLimit = isset($timeOverrides[$error_type]) ? $timeOverrides[$error_type] : $modSettings['spamWaitTime'];
  1067. else
  1068. $timeLimit = 2;
  1069. // Delete old entries...
  1070. $smcFunc['db_query']('', '
  1071. DELETE FROM {db_prefix}log_floodcontrol
  1072. WHERE log_time < {int:log_time}
  1073. AND log_type = {string:log_type}',
  1074. array(
  1075. 'log_time' => time() - $timeLimit,
  1076. 'log_type' => $error_type,
  1077. )
  1078. );
  1079. // Add a new entry, deleting the old if necessary.
  1080. $smcFunc['db_insert']('replace',
  1081. '{db_prefix}log_floodcontrol',
  1082. array('ip' => 'string-16', 'log_time' => 'int', 'log_type' => 'string'),
  1083. array($user_info['ip'], time(), $error_type),
  1084. array('ip', 'log_type')
  1085. );
  1086. // If affected is 0 or 2, it was there already.
  1087. if ($smcFunc['db_affected_rows']() != 1)
  1088. {
  1089. // Spammer! You only have to wait a *few* seconds!
  1090. fatal_lang_error($error_type . '_WaitTime_broken', false, array($timeLimit));
  1091. return true;
  1092. }
  1093. // They haven't posted within the limit.
  1094. return false;
  1095. }
  1096. /**
  1097. * A generic function to create a pair of index.php and .htaccess files in a directory
  1098. *
  1099. * @param string $path the (absolute) directory path
  1100. * @param boolean $attachments if the directory is an attachments directory or not
  1101. * @return true on success error string if anything fails
  1102. */
  1103. function secureDirectory($path, $attachments = false)
  1104. {
  1105. if (empty($path))
  1106. return 'empty_path';
  1107. if (!is_writable($path))
  1108. return 'path_not_writable';
  1109. $directoryname = basename($path);
  1110. $errors = array();
  1111. $close = empty($attachments) ? '
  1112. </Files>' : '
  1113. Allow from localhost
  1114. </Files>
  1115. RemoveHandler .php .php3 .phtml .cgi .fcgi .pl .fpl .shtml';
  1116. if (file_exists($path . '/.htaccess'))
  1117. $errors[] = 'htaccess_exists';
  1118. else
  1119. {
  1120. $fh = @fopen($path . '/.htaccess', 'w');
  1121. if ($fh) {
  1122. fwrite($fh, '<Files *>
  1123. Order Deny,Allow
  1124. Deny from all' . $close);
  1125. fclose($fh);
  1126. }
  1127. $errors[] = 'htaccess_cannot_create_file';
  1128. }
  1129. if (file_exists($path . '/index.php'))
  1130. $errors[] = 'index-php_exists';
  1131. else
  1132. {
  1133. $fh = @fopen($path . '/index.php', 'w');
  1134. if ($fh) {
  1135. fwrite($fh, '<' . '?php
  1136. /**
  1137. * This file is here solely to protect your ' . $directoryname . ' directory.
  1138. */
  1139. // Look for Settings.php....
  1140. if (file_exists(dirname(dirname(__FILE__)) . \'/Settings.php\'))
  1141. {
  1142. // Found it!
  1143. require(dirname(dirname(__FILE__)) . \'/Settings.php\');
  1144. header(\'Location: \' . $boardurl);
  1145. }
  1146. // Can\'t find it... just forget it.
  1147. else
  1148. exit;
  1149. ?'. '>');
  1150. fclose($fh);
  1151. }
  1152. $errors[] = 'index-php_cannot_create_file';
  1153. }
  1154. if (!empty($errors))
  1155. return $errors;
  1156. else
  1157. return true;
  1158. }
  1159. /**
  1160. * Helper function that puts together a ban query for a given ip
  1161. * builds the query for ipv6, ipv4 or 255.255.255.255 depending on whats supplied
  1162. *
  1163. * @param string $fullip An IP address either IPv6 or not
  1164. * @return string A SQL condition
  1165. */
  1166. function constructBanQueryIP($fullip)
  1167. {
  1168. // First attempt a IPv6 address.
  1169. if (isValidIPv6($fullip))
  1170. {
  1171. $ip_parts = convertIPv6toInts($fullip);
  1172. $ban_query = '((' . $ip_parts[0] . ' BETWEEN bi.ip_low1 AND bi.ip_high1)
  1173. AND (' . $ip_parts[1] . ' BETWEEN bi.ip_low2 AND bi.ip_high2)
  1174. AND (' . $ip_parts[2] . ' BETWEEN bi.ip_low3 AND bi.ip_high3)
  1175. AND (' . $ip_parts[3] . ' BETWEEN bi.ip_low4 AND bi.ip_high4)
  1176. AND (' . $ip_parts[4] . ' BETWEEN bi.ip_low5 AND bi.ip_high5)
  1177. AND (' . $ip_parts[5] . ' BETWEEN bi.ip_low6 AND bi.ip_high6)
  1178. AND (' . $ip_parts[6] . ' BETWEEN bi.ip_low7 AND bi.ip_high7)
  1179. AND (' . $ip_parts[7] . ' BETWEEN bi.ip_low8 AND bi.ip_high8))';
  1180. }
  1181. // Check if we have a valid IPv4 address.
  1182. elseif (preg_match('/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/', $fullip, $ip_parts) == 1)
  1183. $ban_query = '((' . $ip_parts[1] . ' BETWEEN bi.ip_low1 AND bi.ip_high1)
  1184. AND (' . $ip_parts[2] . ' BETWEEN bi.ip_low2 AND bi.ip_high2)
  1185. AND (' . $ip_parts[3] . ' BETWEEN bi.ip_low3 AND bi.ip_high3)
  1186. AND (' . $ip_parts[4] . ' BETWEEN bi.ip_low4 AND bi.ip_high4))';
  1187. // We use '255.255.255.255' for 'unknown' since it's not valid anyway.
  1188. else
  1189. $ban_query = '(bi.ip_low1 = 255 AND bi.ip_high1 = 255
  1190. AND bi.ip_low2 = 255 AND bi.ip_high2 = 255
  1191. AND bi.ip_low3 = 255 AND bi.ip_high3 = 255
  1192. AND bi.ip_low4 = 255 AND bi.ip_high4 = 255)';
  1193. return $ban_query;
  1194. }
  1195. /**
  1196. * This sets the X-Frame-Options header.
  1197. *
  1198. * @param string $option the frame option, defaults to deny.
  1199. * @return void.
  1200. * @since 2.1
  1201. */
  1202. function frameOptionsHeader($override = null)
  1203. {
  1204. global $modSettings;
  1205. $option = 'SAMEORIGIN';
  1206. if (is_null($override) && !empty($modSettings['frame_security']))
  1207. $option = $modSettings['frame_security'];
  1208. elseif (in_array($override, array('SAMEORIGIN', 'DENY', 'SAMEORIGIN')))
  1209. $option = $override;
  1210. // Don't bother setting the header if we have disabled it.
  1211. if ($option == 'DISABLE')
  1212. return;
  1213. // Finally set it.
  1214. header('X-Frame-Options: ' . $option);
  1215. }
  1216. ?>